uv 0.11.25
Summary
This release (0.11.25) focuses on security hardening by updating the tar library, alongside numerous enhancements related to lockfiles, dependency scoping, and build backend recommendations. Several preview features for workspace management and environment centralization are also introduced.
⚠️ Breaking Changes
- uv may now reject source distributions with malformed or ambiguous content that were previously accepted. The underlying tar library was updated to harden tar handling against parser differentials.
Migration Steps
- Review source distributions that were previously accepted: with the hardened tar parsing, uv may now reject those with malformed or ambiguous content.
✨ New Features
- Added a full "lockfile" to tool receipts.
- Allowed scoped overrides to add dependencies.
- Avoided writing redundant lockfile markers with `tool.uv.environments`.
- Factored supported environments out of lockfile markers.
- Recommended uv's own build backend in the build frontend.
- Rejected wheels with multiple .dist-info directories.
- Simplified dependency markers under parent reachability.
- Supported scoped dependency exclusions.
- Supported scoped dependency overrides.
- Added explanation for why files are skipped during registry index parsing.
🐛 Bug Fixes
- Preserved standalone markers in workspace metadata.
- Rejected `uv build` if the cache dir is enclosed.